BookLore Media API Authentication Bypass (CVE-2025-62614)

8.7 / 10
HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Description

BookLore is a self-hosted web app for organizing and managing personal book collections. In versions 1.8.1 and prior, an authentication bypass vulnerability in the BookMediaController allows any unauthenticated user to access and download book covers, thumbnails, and complete PDF/CBX page content without authorization. The vulnerability exists because multiple media endpoints lack proper access control annotations, and the CoverJwtFilter continues request processing even when no authentication token is provided. This enables attackers to enumerate and exfiltrate all book content from the system, bypassing the intended download permissions (canDownload) entirely. This issue has been patched via commit b226c43.
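The description names two layers that both failed: the filter let token-less requests continue, and the media handlers carried no access-control check. The following constructed Python model (an added example, not BookLore's code; the token table, user flags and media paths are assumptions) runs the four filter/handler combinations to show that the request is only refused when both layers deny:

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Request:
    path: str
    token: Optional[str]  # bearer token, or None when the client sent none

# Hypothetical token store standing in for real JWT verification.
VALID_TOKENS = {
    "tok-alice": {"user": "alice", "canDownload": True},
    "tok-bob": {"user": "bob", "canDownload": False},
}

def cover_jwt_filter_vulnerable(req):
    """Behaviour the advisory describes: a missing token is not treated as
    an error; the request continues down the chain with no principal."""
    if req.token is None:
        return None, True  # (principal, continue_chain)
    principal = VALID_TOKENS.get(req.token)
    return principal, principal is not None

def cover_jwt_filter_fixed(req):
    """Short-circuit: no token, or an unknown token, stops processing."""
    principal = VALID_TOKENS.get(req.token) if req.token else None
    return principal, principal is not None

def media_endpoint_vulnerable(principal, req):
    """No access-control annotation: the handler never consults the principal."""
    return 200

def media_endpoint_fixed(principal, req):
    """Explicit check standing in for an access-control annotation:
    anonymous callers get 401, and page content requires canDownload."""
    if principal is None:
        return 401
    if req.path.endswith("/pages") and not principal["canDownload"]:
        return 403
    return 200

def serve(filter_fn, endpoint_fn, req):
    """Run the filter, then the handler, and return the HTTP status."""
    principal, proceed = filter_fn(req)
    if not proceed:
        return 401
    return endpoint_fn(principal, req)

if __name__ == "__main__":
    anon = Request("/media/book/1/pages", None)  # constructed path
    print(serve(cover_jwt_filter_vulnerable, media_endpoint_vulnerable, anon))  # 200
    print(serve(cover_jwt_filter_fixed, media_endpoint_fixed, anon))  # 401
```

With only the filter fixed, an authenticated user without canDownload still reaches page content, which is why the endpoint-level check matters as well.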

AI Analysis

Authentication bypass vulnerability in BookMediaController allowing unauthorized access to book content

Basic Information

ID CVE-2025-62614
Source GitHub_M
Published Oct 22, 2025 at 20:58

Affected Product

Vendor booklore-app
Product booklore
Version <= 1.8.1
Affected Versions booklore-app booklore <= 1.8.1

CWE Classification

AI Assessment

AI Score 8.7 / 10
AI Severity High
Vendor booklore-app
Product BookLore
Version 1.8.1 and prior

References
